Guest Blogs

As attack sophistication and frequency increase, the likelihood of an attacker breaching an organization’s defenses has never been higher. Increasingly successful in their attempts, attackers seek privileged accounts to achieve their mission. Privileged accounts proliferate throughout an organization’s IT environment, granting access to highly sensitive resources and paving the way for successful cyber attacks. To prevent a threat from escalating into a full-blown security breach, security teams must prioritize alerts for privileged accounts, quickly investigate these critical threats and take immediate action to stop attackers in their tracks.

Today’s security professionals are overwhelmed with alerts that require manual analysis (and ultimately, time) to validate and prioritize. This time presents an opportunity for attackers to exploit a system and gain privileged access—all before a complete investigation can be conducted.

Once a privileged account, such as a domain or database administrator, is captured, an attacker can move laterally at will, disabling security controls to avoid detection and persisting long term. In fact, valid privileged access is one of the most effective tools an attacker can add to his/her arsenal. To mount an effective defense, security programs must be bolstered with automation capabilities to increase incident response efficiency and decrease response time. This provides the visibility, context and response that matter most to an organization.

The Need for an Integrated Solution

Security teams seek solutions that provide context and enriched insight, as well as the tools needed to investigate, contain and remediate incidents. Multiple joint customers of CyberArk and Proofpoint requested we combine the incident response and automation of Proofpoint Threat Response together with the Privileged Account Security of CyberArk—and we listened. The way our integrated solution works is both simple and effective.

Real-Time Response to Suspicious Privileged User Activity

Proofpoint Threat Response is an incident response automation platform that provides analysts with alert enrichment, forensic collection and comparison as well as the ability to contain users, hosts and malicious emails—automatically or at the push of a button—without complex playbooks or custom scripts. In this joint solution with CyberArk, Proofpoint Threat Response receives an alert about malicious activity, from a correlated search in Splunk, for example, then automatically enriches the alert data with critical intelligence-driven context. Threat Response then validates the user account by email address or associated IP address, providing the full user identity and attributes such as department, job title or network access and takes action by synchronizing with relevant security groups in Active Directory.

The CyberArk Privileged Account Security Solution provides privileged credential protection, session security, least privilege and application control, and continuous monitoring to rapidly detect threats and report on privileged account activity. In this integration, CyberArk automatically retrieves the user’s group affiliation from Active Directory and provides controls on access to privileged accounts according to an organization’s policy. CyberArk also gives security teams the ability to provision custom access policies for restricted users. For example, a user can be blocked from accessing specific databases containing sensitive cardholder data while access to less sensitive databases remains valid.

The CyberArk solution can implement an organization’s policies that restrict a user’s access to critical assets only through CyberArk Privileged Session Manager, while blocking all other access options. The CyberArk Privileged Session Manager is a secure proxy server that separates endpoints from target systems and isolates privileged sessions to help prevent the exploitation of the critical system. This level of granularity provides an appropriate level of protection without significantly impacting operations or preventing employees from being productive.

Today’s security teams must do more with less and gain maximum benefit from the tools they already have. The partnership between CyberArk and Proofpoint provides joint customers with a combined best-in-class privileged account security solution and incident response automation and orchestration platform, stopping attackers before they stop business. The best part is this integrated solution is available to joint customers today—at no additional cost.

Throughout the course of my six years in helping KPMG clients with their Privileged Access Management programs, there has rarely been a simple answer to the critical questions of exactly which privileged accounts in an environment should be integrated first (e.g., application/infrastructure/personal accounts), and exactly how we should control each type of privileged account. The ways an organization can control privileged accounts using a solution like CyberArk can vary greatly (e.g. vaulting, password rotation, brokering, etc.).

A common approach to password management is to treat all vaulted credentials with the same level of control measures; this is typically a symptom of the lack of a risk-based approach to assigning criticality to accounts. Alternatively, we also see cases of wild inconsistency in the way passwords are managed, typically because it is left up to the individual platform owners to pick and choose the security controls that suit them. This is typically an indication of a lack of defined PAM standards that can be applied enterprise-wide. When developing strategies and roadmaps for KPMG clients, our teams apply an “Account Criticality Matrix” to help answer these questions. This matrix is designed to help standardize the way we rate and weigh the criticality of a given account. It includes a set of predefined criteria that we tailor to meet the unique needs of each organization. Example criteria in the Account Criticality Matrix include:

* Number of individuals that have access to a given privileged credential
* Frequency of account usage
* Potential to access sensitive data
* Scope of privilege across single/multiple systems or platforms
* Control level granted

Based on the numerical scoring derived from the Account Criticality Matrix, we then begin to build a profile of what an organization would consider a “high-risk” account versus a “low-risk” account. This profile helps on numerous fronts. First, it allows for consideration of account types that typically would not be considered as true “privileged” accounts. For example, many application or service accounts are inadvertently excluded from management in organizations due to a lack of understanding of enterprise privileged account definitions by the application owner. In the absence of pre-defined account prioritization criteria, those owners are left to decide what constitutes a “privileged” account or not. Many will opt for the latter without prescribed guidance. The matrix will allow an organization to take any account type and provide a standardized metric to determine whether it meets the criteria to be integrated into CyberArk.

The second benefit is the standardization of account controls across the organization based on the calculated account criticality. Depending on licensing and hardware limitations, recording all privileged accounts may not be feasible. Based on a pre-defined policy, an organization could mandate that only “high” rated accounts require dual control and PSM recording, but periodic password rotations of “medium” rated credentials are sufficient.

Thirdly, combining knowledge of “high” severity accounts with the implementation effort for each account type helps prioritize the path of integration. When various stakeholders ask why the decision was made to start with default local accounts first and not their specialized application, you can point out not only that those accounts rated as high based on user base, scope of privilege and access granted, but also that the implementation effort was lowest for those accounts.
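As an added example (not the KPMG post’s own material), here is a minimal scoring implementation of the Account Criticality Matrix described above. The five criteria come from the post; the weights, the 1-to-3 rating scale, the tier thresholds, the tier-to-control mapping and the sample accounts are assumptions for illustration. It also carries the third benefit through by ordering integration by criticality, with implementation effort as the tie-breaker.

```python
from collections import namedtuple
# Criteria named in the post; the weights are assumed and express relative importance.
CRITERIA_WEIGHTS = {
    "user_count": 2,        # individuals with access to the credential
    "usage_frequency": 1,   # how often the account is used
    "sensitive_data": 3,    # potential to access sensitive data
    "privilege_scope": 2,   # single system vs. multiple systems/platforms
    "control_level": 3,     # control level granted (read-only .. full admin)
}
# Assumed cut-offs on the 11..33 scale; tier-to-control mapping follows the post's example.
TIER_THRESHOLDS = (("high", 26), ("medium", 16))
TIER_CONTROLS = {
    "high": ["vault", "rotate", "dual_control", "psm_recording"],
    "medium": ["vault", "rotate"],
    "low": ["vault"],
}
# ratings: criterion -> 1 (low), 2 (medium), 3 (high); effort: integration effort 1..3
PrivilegedAccount = namedtuple("PrivilegedAccount", "name ratings effort")

def criticality_score(ratings: dict) -> int:
    """Weighted sum over all criteria; every criterion must be rated 1..3."""
    if not set(CRITERIA_WEIGHTS) <= set(ratings):
        raise ValueError(f"unrated criteria: {sorted(set(CRITERIA_WEIGHTS) - set(ratings))}")
    if any(ratings[c] not in (1, 2, 3) for c in CRITERIA_WEIGHTS):
        raise ValueError("ratings must be 1, 2 or 3")
    return sum(CRITERIA_WEIGHTS[c] * ratings[c] for c in CRITERIA_WEIGHTS)

def tier_for(score: int) -> str:
    return next((t for t, cut in TIER_THRESHOLDS if score >= cut), "low")

def assess(acct: PrivilegedAccount) -> dict:
    """Score, tier and the standard control set that tier mandates."""
    score = criticality_score(acct.ratings)
    tier = tier_for(score)
    return {"name": acct.name, "score": score, "tier": tier, "controls": TIER_CONTROLS[tier]}

def integration_order(accounts: list) -> list:
    """Highest criticality first; lowest implementation effort breaks ties."""
    rank = list(TIER_CONTROLS)  # ["high", "medium", "low"]
    return [a.name for a in sorted(accounts, key=lambda a: (rank.index(assess(a)["tier"]), a.effort))]

def rate(u, f, s, p, c) -> dict:  # build a ratings dict in criterion order
    return dict(zip(CRITERIA_WEIGHTS, (u, f, s, p, c)))

SAMPLE_ACCOUNTS = [  # constructed sample data
    PrivilegedAccount("local Administrator (default)", rate(3, 2, 3, 3, 3), effort=1),
    PrivilegedAccount("erp-app-admin", rate(2, 2, 3, 2, 3), effort=3),
    PrivilegedAccount("svc-reporting", rate(1, 3, 2, 1, 1), effort=3),
    PrivilegedAccount("app-db-readonly", rate(2, 1, 1, 1, 1), effort=2),
]
```

With these assumed thresholds the default local Administrator account ranks first: it scores “high” and also has the lowest effort, which is exactly the justification the post gives stakeholders.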

Art Chaisiriwatanasai is a Director within KPMG’s Chicago office and is a member of their IT Advisory – Cyber practice. Art has in-depth experience in information security focusing on privileged access management, security operation center implementations, vulnerability management, risk assessment, and incident response initiatives.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.

Case in point, I recently met with an IT director for a retailer to understand how he uses Tenable products. I was surprised to learn that his team was not using the full capabilities for credentialed scans. I proceeded to share the benefits of credentialed scanning, noting the advantages over remote scanning. For example, I explained that credentialed scanning can identify whether a patch for a given vulnerability has been applied in a way that is far more accurate (and safer) than running a remote check. Tenable’s credentialed scans can detect client-side software in addition to software vulnerabilities and are executed on the host itself rather than across the network – a process that is not disruptive to operations and consumes far less system and network resources. Credentialed scans also offer deeper insight, providing greater visibility into the host by reading password policies, obtaining a list of USB devices, checking anti-virus software configurations and even enumerating Bluetooth devices attached to scanned hosts.

Yet, despite all the benefits, the IT director’s simple response was that it was too difficult to manage credentials individually on multiple security solutions in their distributed environment.

This customer’s challenge – the same challenge faced by many enterprise security professionals – highlights the impetus for Tenable and CyberArk’s technology integration which enables customers to maximize their existing investments and ease the process of protecting and managing privileged credentials for scanning across the enterprise.

This diagram provides a high-level visual of how the products work together:

When a credentialed scan is needed, Tenable’s solutions are configured to automatically query the CyberArk solution for privileged credentials. CyberArk provides the requested privileged credentials, and Tenable’s solutions use them to log into the target system to perform vulnerability and configuration auditing.

For the IT director with whom I spoke and many others in a similar situation, this integration offers the benefits of performing credentialed scans while at the same time eliminating the need to manually configure, store and rotate privileged credentials. This provides secure management and monitoring of privileged and administrative credentials. Furthermore, this integration allows organizations to more thoroughly address enterprise-wide security mandates to lock down privileged credentials.

When it comes to IT security initiatives, many enterprises struggle to quantify business value and return on investment (ROI), viewing them solely as an insurance expense – a must-have in today’s era of inevitable attacks. But by implementing the right solutions, organizations can mitigate a multitude of security challenges while enabling business agility and achieving measurable operational benefits.

Industry experts estimate that 80 to 100 percent of serious security incidents involve the exploitation of privileged accounts. To understand how organizations can better protect themselves against advanced threats, my team at Nucleus Research recently explored a series of actual deployments of the CyberArk Privileged Account Security Solution. During a number of in-depth customer conversations, we not only found that the company’s suite of security tools drove a centralized and consistent approach to managing privileged access for reduced risk, but also significant business benefits, including increased productivity and reduced costs. We found that organizations can achieve complete payback from an initial CyberArk deployment within six months or less and gain greater ROI as the CyberArk platform is used over time.

Our discussion series revealed that while security remains a primary driver, there are three compelling reasons why customers were drawn to the CyberArk solution, including:

Ease of deployment, intuitive administrative interface and the ability to manage all privileged credentials in one vault enabled administrators to rapidly come up to speed on the solution and gain benefit.

Because customers could choose one initial area or component to address and extend the solution easily as they needed over time, they were able to flexibly respond to changing security needs with limited additional investment or disruption.

In the last post, we examined why it’s critical to manage the entire life cycle of the privileged account. In this post, we’ll look at some best practices and how you can tell if your business is doing a good job of controlling the privileged account life cycle.

Five Key Questions to Ask about Privileged Accounts

To negate the risks associated with the privileged account life cycle, it’s critical to ensure these accounts exist only as long as they are needed, and not a second longer. Mature management of your privileged accounts means a business will be able to answer the following five questions:

* Why does this privileged account exist?
* Who is accountable for its existence?
* Who approved the existence and why?
* When was the approval granted?
* When last was the existence of this privileged account reviewed?

Only if you can answer all five of these questions capably can your company claim to be properly and truly in control of your privileged accounts. The key component that needs to be addressed is controlling the existence of your privileged accounts.

This should be achieved through the establishment of a definitive register of these accounts. The system used for this register is of no import; what matters is that it enables you to manage the life cycle of the account.

This encompasses recording decisions made around this life cycle, providing the reports and audit trails that are required by the organization, and most importantly, integrating with your existing environment and systems, in order to make the automation of the life cycle possible.
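As an added example (not part of the original post), here is a small register of the kind described above: each entry records one field per question, and an audit flags any account for which one of the five questions cannot be answered or whose last review is stale. The field names, the 90-day review period and the sample entries are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class RegisterEntry:
    """One row of the register; each field answers one of the five questions."""
    account: str
    purpose: str                   # why does this privileged account exist?
    owner: str                     # who is accountable for its existence?
    approver: str                  # who approved the existence ...
    approval_reason: str           # ... and why?
    approved_on: Optional[date]    # when was the approval granted?
    last_reviewed: Optional[date]  # when was its existence last reviewed?

def audit_entry(e: RegisterEntry, today: date, review_period_days: int = 90) -> list:
    """Findings for one entry; an empty list means all five questions are answered."""
    findings = []
    for question, value in (("purpose", e.purpose), ("owner", e.owner),
                            ("approver", e.approver), ("approval reason", e.approval_reason)):
        if not value or not value.strip():
            findings.append(f"missing {question}")
    if e.approved_on is None:
        findings.append("missing approval date")
    elif e.approved_on > today:
        findings.append("approval date is in the future")
    if e.last_reviewed is None:
        findings.append("never reviewed")
    else:
        age = (today - e.last_reviewed).days
        if age > review_period_days:
            findings.append(f"review overdue ({age} days since last review)")
        if e.approved_on and e.last_reviewed < e.approved_on:
            findings.append("last review predates approval")
    return findings

def audit_register(entries: list, today: date, review_period_days: int = 90) -> dict:
    """Accounts that cannot answer all five questions, mapped to their findings."""
    result = {}
    for e in entries:
        findings = audit_entry(e, today, review_period_days)
        if findings:
            result[e.account] = findings
    return result

AS_OF = date(2023, 12, 1)  # constructed "today" for the sample run
SAMPLE_REGISTER = [  # constructed sample data
    RegisterEntry("db-admin-prod", "break-glass access to production DB", "A. Owner",
                  "Sec. Lead", "required for DR runbook", date(2023, 1, 10), date(2023, 11, 1)),
    RegisterEntry("svc-legacy-backup", "nightly backup job", "", "Ops Mgr",
                  "backup agent needs local admin", date(2021, 3, 5), None),
    RegisterEntry("app-deploy", "CI pipeline deploys to app servers", "Platform Team",
                  "CTO", "automated release", date(2023, 2, 1), date(2023, 6, 15)),
]
```

Running `audit_register(SAMPLE_REGISTER, AS_OF)` reports the ownerless, never-reviewed backup account and the overdue review on the deployment account, while the fully answered production entry passes; the findings list is the audit trail an assessor can be shown.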

It must also be noted that being able to answer all five of these questions satisfactorily is only part of the challenge. More crucially, you need to understand that answering them may be of little worth unless you can prove to auditors that you have answered them accurately.

You have only arrived at true governance once you can demonstrate and substantiate the fact that the answers to these questions are comprehensive, accurate and reliable.

After all, as we mentioned earlier, the issues of governance, risk and compliance (GRC) are taking on an ever greater importance in most organizations, and with an effective GRC policy requiring proof for the auditors, being able to substantiate your answers to these five questions is more vital than ever.

Ultimately, however, the most important reason for ensuring complete and effective life cycle management for your privileged accounts boils down to ensuring your company’s own safety and security.

Bad management inevitably leads to points of access remaining open where people with mischief in mind will be able to gain access into your business.

This one little hole can then become a great big door through which an attacker – be they external or internal – can happily stroll and cause untold amounts of damage to your organization. Badly managed privileged accounts are the equivalent of leaving your company’s back door wide open.